Diving Deep Into PDF Exploit Kits at Black Hat Europe 2014

While I was at Black Hat Europe 2014 in Amsterdam this week, I sat through a great hands-on workshop called “PDF Attack: A Journey From the Exploit Kit to the Shellcode.” In this session, Jose Miguel Esparza demonstrated some of the latest exploit kits and how to analyze and deconstruct them.

Exploits have become more advanced, targeted, and evasive

Jose began the session by describing why these exploits have been so effective in bypassing countermeasures and infecting targeted systems. Advanced targeted exploits leverage multiple evasion techniques, including VM detection, country detection, IP address filtering, single-use URLs, AV detection, and many others, all of which make them highly targeted and difficult to detect.

Next, he passed out two USB memory sticks full of malicious PDF samples and exploit kits for us to use in order to follow along with the demonstration. It felt rather ironic to willingly accept a malware-infested USB stick -- especially at Black Hat! Some of the audience members wanted nothing to do with it. When it was my turn with the memory stick, I took it as my neighbor looked on in horror. He refused to even touch the thing. After carefully extracting the contents to an isolated environment, my real-time antivirus scanner lit up for a moment, identifying a few of the files as malicious, but it seemed to think most of them were just fine.

After watching Jose dissect code in PDF files for an hour or so using neat tools like peepdf, my attention turned to the contents of that memory stick. I just couldn’t wait to see what kind of damage could be done with those malicious PDFs in my test environment. I opened up the folder and did what end-users do: I double-clicked.

But wait, the exploits don’t work! I want my money back!

Well, I’m sure they worked fine for everyone else in the room, but not for me. Immediately upon opening the first PDF file, I was stopped in my tracks. No, it wasn’t my antivirus suite (which includes features like access protection, buffer overflow protection, on-access scanner, and many others, by the way). The exploit was prevented by Traps.

Traps is our new Advanced Endpoint Protection product and I happened to have it running in my test environment. I proceeded to open the remaining malicious PDFs and each was prevented by one of the Traps prevention modules as my antivirus stood idly by in its customary state of signature-based unawareness.

How was Traps able to prevent these exploits, you ask? Traps takes a fundamentally different approach to endpoint protection. Rather than trying to detect signatures or patterns of malicious behavior, Traps focuses on the exploit techniques that are common to all attacks and simply prevents those techniques from being used. To learn more about how it works, check out Traps here.